Compliance Question of the Week 2019
Did the U.S. Department of Housing and Urban Development (“HUD”) recently clarify its requirements in relation to documenting the transfer of gift funds?
Yes, as part of the revised HUD Handbook 4000.1 (the “Handbook”), issued March 27, 2019, HUD clarified its requirements for verifying and documenting the transfer of gifts from a donor to a Borrower.
Specifically, the Handbook now indicates in relevant part:
- If the gift funds have been verified in the Borrower’s account, obtain the donor’s bank statement showing the withdrawal and evidence of the deposit into the Borrower’s account.
- If the gift funds are not verified in the Borrower’s account, obtain the certified check, money order, cashier’s check, wire transfer, or other official check evidencing payment to the Borrower or settlement agent, and the donor’s bank statement evidencing sufficient funds for the amount of the gift (pg. 230).
Regardless of when gift funds are made available to a Borrower or settlement agent, the mortgagee must be able to make a reasonable determination that the gift funds were not provided by an unacceptable source.
Italicized language above indicates revisions made to the Handbook.
What requirements do residential mortgage lenders have in regard to notifying their Board of Directors (the “Board”) and/or Executive Management of suspicious activity report (“SAR”) filings?
A compliant and effective AML Program includes, among other components, active involvement and oversight by a mortgage lender’s Board and/or Executive Management. Active involvement and oversight requires obtaining sufficient information on SAR investigations and filings so that the Board – or a Board’s equivalent, such as an Executive Management Committee – is able to fulfill its fiduciary duties to the company.
Several federal agencies have issued guidance regarding notification requirements for Board members. This guidance may be useful for mortgage lenders in determining how and what to communicate to Board and/or Executive Management members with regard to SAR filings. Specifically, the Federal Financial Institutions Examination Council’s (“FFIEC”) Bank Secrecy Act / Anti-Money Laundering Examination Manual includes a Suspicious Activity Reporting – Overview section, which indicates in relevant part:
“Banks are required by the SAR regulations of their federal banking agency to notify the board of directors or an appropriate board committee that SARs have been filed. However, the regulations do not mandate a particular notification format and banks should have flexibility in structuring their format. Therefore, banks may, but are not required to, provide actual copies of SARs to the board of directors or a board committee. Alternatively, banks may opt to provide summaries, tables of SARs filed for specific violation types, or other forms of notification. Regardless of the notification format used by the bank, management should provide sufficient information on its SAR filings to the board of directors or an appropriate committee in order to fulfill its fiduciary duties, while being mindful of the confidential nature of the SAR.”
Additionally, Section 8.1-46 of the Federal Deposit Insurance Corporation’s (“FDIC”) Risk Management Manual Examination Policies explains in relevant part:
“Section 353.3 of the FDIC’s Rules and Regulations requires the financial institution’s board of directors, or designated committee, be promptly notified of any SAR filed…
- Customer’s name and any additional suspects;
- Social Security Number or TIN;
- Account number (if a customer);
- The date range of suspicious activity;
- The dollar amount of suspicious activity;
- Very brief synopsis of reported activity (for example, “cash deposit structuring” or “wire transfer activity inconsistent with business/occupation”); and
- Indication of whether it is a first-time filing or repeat filing on the customer/suspects.
Such a tracking report promotes efficiency in review of multiple SAR filings. Nevertheless, there are still some SARs that the board of directors, or designated committee thereof, should review individually…. Financial institutions are encouraged to develop their own parameters for defining ‘significant SARs’ necessitating full reviews; such guidance needs to be written and formalized within board approved BSA policies and procedures.”
When does transitional licensing go into effect and how will it work?
Pursuant to Section 2155 of the federal Economic Growth, Regulatory Relief, and Consumer Protection Act, MLO transitional licensing authority goes into effect on November 24, 2019.
Under the law, the following individuals may be granted temporary authority to act as a mortgage loan originator (“MLO”) while completing state-specific requirements for licensure, such as education or testing:
- qualified MLOs who are changing employment from a depository institution to a state-licensed mortgage company; and
- qualified state-licensed MLOs seeking licensure in another state.
NMLS published FAQs entitled “Temporary Authority to Operate (Temporary Authority) for Mortgage Loan Originators”.
Importantly, the FAQs explain that an MLO will not have to submit a separate application for temporary authority. Rather, an MLO applies for an MLO license through NMLS and, if eligible, will automatically receive temporary authority as the applicable state processes the license application. NMLS will be programmed to check certain eligibility requirements, such as criminal history and whether an applicant has had an MLO license application denied, revoked, or suspended. Before a licensing decision is made by the applicable state, an individual with temporary authority will show as being “authorized to conduct business” in the state – the actual license status will not be updated until the state makes a decision with regard to the license application.
An individual with temporary authority may originate loans as if he/she possesses a license in that state. The individual and the loans originated by that individual will be subject to the same rules and regulations as applicable to a licensed MLO.
Importantly, though, mortgage lenders must monitor the status of an individual’s license application and temporary authority to act as an MLO. If the MLO’s application is ultimately denied, the mortgage lender must reassign any active loans in the pipeline originated by that MLO to a licensed MLO in that state. Further, if a mortgage lender knew of or should have known of a disqualifying event that would cause a license application to be denied, the mortgage lender could face enforcement action by the state for failing to disclose such event. For this reason, it is important to perform background checks and other due diligence on MLOs prior to sponsoring license applications.
Refer to AGMB’s prior Compliance Question of the Week: “Is it true there is a new law that permits transitional licensing authority for mortgage loan originators (MLO)?” for detail regarding eligibility requirements and additional information on temporary authority.
Should I maintain a visitor log at my front entrance?
Yes, visitors pose a risk to privacy and security. All companies, especially those in the financial industry who handle consumer non-public and confidential information (NPPI/PII), should maintain a visitor log at each office entrance in order to audit visitors and ensure only authorized individuals are permitted to access the facilities. At a minimum, a visitor log should include the date, time in, visitor’s name, person being visited, reason for the visit, and time out. The employee permitting the visitor should verify the visitor’s identity by reviewing the visitor’s government-issued photo ID to ensure they are who they say they are.
A visitor log will also serve as a vital reference tool in the event of unforeseen events (e.g., theft, active shooter situations, or breach incidents) and in an emergency evacuation, as it will help accurately account for individuals present within the facility. Mortgage lenders should review branch office visitor logs as part of their branch office oversight procedures to ensure they are being maintained appropriately.
If my third-party provider (“vendor”) has access to consumer personally identifiable information, should provisions addressing the protection of such information be included in the Contractual Agreement with the vendor?
Yes, written agreements with third-party providers should address potential risks associated with data breaches — particularly when the vendor has access to consumer personally identifiable information. The vendor contract is a vital element of the vendor due diligence process and relationship. The contract should capture the nature of the relationship and set forth the contractual rights, obligations and duties of each party. This includes confidentiality requirements, responsibilities in the event of a breach, and liability provisions.
Since written contracts are a critical component of a sound vendor management program, regulators may review them with a degree of scrutiny. Failure to maintain sufficient protections within vendor contracts and address risks appropriately may result in unsatisfactory results during a regulatory review or examination. Additionally, insufficient contract protections could expose a company to added civil liability in the event of a breach.
Why is it important to have an adequate compliance training program?
It is important for a residential mortgage lender to develop and implement a written compliance training program to provide employees with the tools needed to succeed given the various rules and regulations that apply and because of the constant regulatory changes. Regardless of a residential mortgage lender’s size, a well-developed compliance training program is a critical component to an effective compliance management system (“CMS”). As part of a thorough CMS, a robust training program helps a company and its employees keep up-to-date on regulatory changes that may impact the business, make correct decisions, manage risks, and avoid costly errors or other legal and/or compliance missteps.
A residential mortgage lender’s compliance training program should be current, effective, and commensurate with the entity’s size and risk profile. Oftentimes, this requires training courses to be specifically tailored to reflect how a company operates. It is important that all employees be familiar and in full compliance with a company’s policies and procedures, as well as federal and state consumer protection laws. Employees should also receive comprehensive training based upon their job functions and responsibilities.
Per the Consumer Financial Protection Bureau’s Summer 2013 Supervisory Highlights edition (http://files.consumerfinance.gov/f/201308_cfpb_supervisory-highlights_august.pdf), mortgage lenders must provide ongoing training to Board members, management, and staff. Further, certain federal and state rules and regulations require training on specific subject matters at least annually. For example, mortgage lenders must provide anti-money laundering and privacy/security awareness training at least annually.
It is recommended that all training (whether informal or formal) be tracked and memorialized so that a mortgage lender can demonstrate to its regulators that employees are properly completing courses. Further, requiring a test component helps ensure employees are sufficiently grasping the material presented. It is important to note that no two compliance training programs will be identical. Your company’s size, organizational structure, and geographical reach may dictate the structure of your program.
I’m applying for Fannie Mae approval but am unsure of the difference between a Quality Control Audit (QC) and Internal Audit. What exactly is the difference?
A mortgage lender is required, for a variety of reasons, to implement a QC program that identifies credit and/or regulatory issues in its origination and servicing functions, as applicable. A QC audit looks at the end product, regardless of whether the process is credit or compliance focused. Generally, QC audits, which are forms of transactional testing, are narrower in scope than Internal Audits.
Internal Audits review for and identify a variety of items such as credit, regulatory, operational, financial, and reputational risks. An Internal Auditor looks at the process itself and independently evaluates the risks and control activities within the process. To this end, an Internal Auditor will perform a number of tasks, such as reviewing policies, procedures, and reports; conducting management interviews with the respective business units to gather information on the process evaluated; documenting evidence of the process through walkthroughs; and performing transactional testing, as needed. The focus is not necessarily on the end product, as is the case with a QC audit; rather, the focus is on the adequacy, soundness, and effectiveness of internal controls within a process to ensure that the mortgage lender attains the end result sought while complying with Agency and investor guidelines, laws and regulations, and industry best practices.
When will it be mandatory to use the new Uniform Residential Loan Application (URLA) and what are some of the changes?
Originations commencing July 1, 2019 may use the redesigned URLA and all new loan applications commencing February 1, 2020 must use the new URLA. Given that the new URLA was designed to make it easier for lenders to acquire data required by HMDA, it is expected that lenders will require use of the new URLA before the mandatory implementation date in February 2020.
The application has more than doubled in size. The length of the new URLA will vary depending on the number of borrowers, type of loan and type of the transaction (sections are added or deleted based on loan scenarios). The look and feel of the redesigned URLA is similar to the Loan Estimate and Closing Disclosure and contains what is considered more easily understood language and clearer instructions. The GSEs also created a Spanish version of the new URLA form. However, a completed English URLA must be signed by all applicants.
A few highlights of the new URLA are as follows:
- New fields have been added based on new federal regulations. For example, there are correct fields for the new demographic information required by HMDA since January of 2018, thereby retiring the Demographic Information Addendum currently utilized.
- Obsolete fields have been eliminated. For example, the applicant is no longer required to list the make and model of their automobile.
- There is defined separation of individual borrower applications.
- The information a borrower must provide, acknowledge and agree to has been separated from the information the broker/lender collects and verifies in connection with the processing and underwriting of the loan.
The redesigned URLA, as well as some FAQs and hints, can be found on the Fannie Mae website here: https://www.fanniemae.com/singlefamily/uniform-residential-loan-application
The new URLA is a complete reinvention of the origination of a loan. Brokers and lenders will need to start collecting much more information, which was not previously collected. It is advisable to review the new URLA and start planning how you will collect that data once required.